Uploaded by Ajai Srivastava

cloud-certification-en

advertisement
ISO/IEC 27018
Cloud Certification
Are you sure your Personally Identifiable Information
(PII) is safe?
When entrusting your sensitive data to a cloud provider
you would like to be sure that data is as safe as if you took
care of it personally. Our certification extends the widely
recognized ISO/IEC 27002 standard using considerations
concerning Personally Identifiable Information (PII) to
leverage the internationally accepted ISO/IEC 27018 cloud
certification framework.
• ISMS direcitves
• ISMS policies
• ISMS concepts and
working procedures
• Management
direction for
information security
• Builds on ISO/IEC
27002 framework
• C
onsent and choice
• Purpose legitimacy and
specification
• Use, retention and disclosure
limitation
The certification goes beyond technical aspects in order to
get a holistic view on the cloud environment which may
range from a commodity IaaS offering to a sophisticated
SaaS. Our certification let’s you tailor the scope to your
needs to make sure you get the kind of certification that
best reflects your needs.
• A
ccountability
• C
onfidentiality agreements /
contracts
Human
Resources
Security
Information
Security
• Business
requirements
• User Access Control
management
• User responsibilities
• Monitoring and
review of
unauthorized
access
• Mobile security
ISO/IEC 27018 April 2018
Personally
Identifiable
Identification
Asset
Control
• P
rior to employment
• During employment
• Termination of
employment
• Protection of
employee’s records
• Physical
environmental
security
Operations
Security
• Operational
procedures and
responsibilities
• B
ackup
• L
ogging and
monitoring
• Change
Management
• C
onfiguration &
Release
Management
What are the challenges?
Key issues
• Management of key information assets by a 3rd party
(either external or internal)
• Availability and reliability of an environment which is
operated by someone else
• Security aspects since the solution must be accessible
from everywhere
• Monitoring of crucial human resources by the HR function
in order to ensure safe behavior Information protection of
sensitive enterprise information
• Detection of non-compliance, adequate and timely
reaction
• Ineffective coverage of legal and regulatory requirements;
inefficient use of resources
• Always on: customers expect a cloud-based solution to be
always available and performance not to be impacted at any
time
• Data leakage prevention, espionage, intellectual property
protection: surveillance and screening of employees, e-mails
and IT systems compliant with labor law
• Backup quality and archiving: customers no long perform
their own backups. They assume that the provider has
chosen a best-in-class solution to make sure data can
always be retrieved
• Outsourcing and offshoring: enforcement of IT related
contract clauses and misaligned control frameworks;
assurance on effectiveness of controls operated by supplier;
compliance with data protection laws and regulations
• Lack of control: if a third party takes over then customers
expect a reliable and accountable
• Business partner. Ideally, the cloud service has been
certified by and independent auditor
Approach Certification Audit
Certification Audit
Stage I: Documentation Audit
Stage II: Implementation Audit
Identify Risks / Gaps (Pre-Audit)
•
•
•
•
Health Check Gap Analysis
Risk Assessment
Review of Policies and Guidelines
Review of pre-selected control
objectives based on ISO/IEC 27018
•
•
•
•
Conduct on-site audits and planning
Involve subject matter specialists
Documentation audit
Take and assess samples in the cloud
environment
• Walkthrough audits and site inspections
• Technical console testing
• Create a draft audit report
Audit Report and certificate
issuance ISO/IEC 27018
•
•
•
•
Discuss the draft report with the client
Finalize the reporting using client input
Release the final report
Countermeasure planning of nonconformities, observations, and
recommendations
• Issuance the ISO/IEC 27018 certificate
if the cloud is deemed mature enough
• Planning for the surveillance audit
Why KPMG?
Our interdisciplinary team of experts provides a long and in-depth experience in the fields of Information
Governance, Data Protection, Information Security and IT law. The global network of KPMG supports organizations
throughout the world to identify weaknesses to the implementation of Information Management Governance.
Contact
KPMG AG
Badenerstrasse 172
PO Box
CH-8036 Zurich
kpmg.ch/ipbr
Matthias Bossardt
Partner
Head of Cyber Security
Reto Grubenmann
Director, Consulting
Head of Certification Services
Reto Mathys
Manager
Certification Services
+41 58 249 36 98
mbossardt @kpmg.com
+41 58 249 42 46
[email protected]
+41 58 249 26 27
[email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be
no guarantee that such information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
© 2018 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.
ISO/IEC 27018 April 2018